Research & News in Tor, Privacy, & Security – Nov 11th, 2014

The Open Observatory of Network Interference (OONI) is currently studying reachability of bridges in countries that impose censorship. They are also studying how effective these countries are at preventing the use of pluggable transports. They are performing several tests. First is a Bridge reachability measurement, which attempts to build a Tor circuit to the bridge being tested. Next is a TCP connect measurement, which attempts a TCP connection to the bridge.

They have compiled around a month’s worth of data that is publicly available for download.

Tor News

A post titled “Thoughts and Concerns about Operation Onymous” was posted on the Tor Blog. The post addresses concerns about how the hidden services involved in the recent takedown were located. The post states that the most likely explanation is an error in operational security by the site owners. A second theory is the exploitation of common bugs in unrelated web applications, such as SQL injections. They quickly mention the possibility of tracking Bitcoin users through transactions, since the hidden services running Bitcoin clients could be victims of such an attack. There could also be a wider issue with the Tor network, since there are known problems that haven’t been solved, and there is always the possibility of unknown attacks. A known attack is the Guard Discovery attack, which cannot reveal the IP address of a hidden service, but can reveal the guard node for a hidden service. The guard node is the only node in a Tor circuit that knows the true IP address of a hidden service. If an attacker can compromise a guard relay, they can launch a traffic confirmation attack. An attacker could also launch a DoS attack on Tor relays, forcing the hidden service to choose the attacker’s malicious relay as a guard node.

They write that “In liberal democracies, we should expect that when the time comes to prosecute some of the seventeen people who have been arrested, the police would have to explain to the judge how the suspects came to be suspects, and that as a side benefit of the operation of justice, Tor could learn if there are security flaws in hidden services or other critical internet-facing services.”

Several Tor relays have reportedly been seized by Law Enforcement. The operators were being investigated for alleged involvement in fraud and international money laundering. Three of the servers were exit relays from Torservers.net, while one was a non-exit relay run by an independent operator.

Privacy News

Earlier this week, Robert Hannigan wrote a controversial article titled, “The web is a terrorist’s command-and-control network of choice.” Hannigan is the director of GCHQ, a British intelligence agency that has felt backlash from citizens in the wake of Edward Snowden’s leaks. He criticized US technology companies for becoming “command and control networks of choice for terrorists and criminals.” He wrote that the radical group ISIS/ISIL “has embraced the web as a noisy channel in which to promote itself, intimidate people and radicalize new recruits.” He also pushed for greater efforts to collaborate with private technology companies, even suggesting a formal information-sharing system. Hannigan stated, “Privacy has never been an absolute right, and the debate about this should not become a reason for postponing urgent and difficult decisions.”

The Calgary Police Department in Canada has announced that they are going to implement facial recognition software. The software is designed to compare photographs taken of suspects with a database of 300,000 mug shots. The Calgary Police Department is the first agency in Canada to implement the technology. Rosemary Hawkins, an inspector, told the CBC “this technology will not be used to identify people walking down the street as a member of the general public. It will be used to identify subjects involved in criminal activity under police investigation and the image searched against our mugshot database, which holds photos of people that have been processed on charges.”

Security News

Google’s Android Security Team has released a tool that can be used for testing for vulnerabilities and misconfigurations in TLS/SSL libraries. The tool is dubbed “nogotofail” and is designed to work on multiple platforms, including Android, iOS, Linux, Windows, Chrome OS, and OS X.

The “WireLurker” trojan has been identified in the wild on iOS and OS X devices. According to a report published by Palo Alto Networks, the malware is included in unauthorized copies of iOS applications. Once a user downloads the application, a trojan is installed as a system daemon. Now, it waits until an iOS device is connected to the user’s computer. It then grabs sensitive information about the device, abusing the trusted pairing between the Mac and iOS devices. Jonathan Zdziarski, an iOS forensics expert, wrote, “The real issue is that the design of iOS’ pairing mechanism allows for more sophisticated variants of this approach to easily be weaponized. While WireLurker appears fairly amateur, an NSA or GCHQ, or any other sophisticated attacker could easily incorporate a much more effective (and dangerous) attack like this.”

A vulnerability called “Rootpipe”, which effects OS X Yosemite and some earlier versions of OS X, was discovered by Emil Kvarnhammara, a security researcher from Sweden. The attack can be used to escalate user privileges on Yosemite and other versions of OS X, granting the user root access without the root password. The researcher contacted Apple about the vulnerability, and they agreed on a date for full disclosure of all details. At this time, no specific information is provided about the attack. A full report is expected to be published in January.